Network(9): ARP and ARP Spoofing

1. Introduction to ARP protocol

ARP stands for Address Resolution Protocol. It sits at the data link layer: it is carried directly in Ethernet frames (EtherType 0x0806), talks to the hardware interface at that layer, and at the same time provides a service to the network layer above it.

IP packets are usually carried over Ethernet. Ethernet hardware does not understand 32-bit IP addresses; it addresses frames with 48-bit Ethernet (MAC) addresses. An IP destination address must therefore be converted into an Ethernet destination address before a frame can be sent. On an Ethernet, a host that wants to talk directly to another host must know that host's MAC address. How is that target MAC address obtained? Through the Address Resolution Protocol: ARP resolves the IP addresses on the network into hardware (MAC) addresses so that communication can proceed.

The header structure of ARP is shown in Figure 1.

 byte 0            | byte 1            | byte 2            | byte 3
-------------------+-------------------+-------------------+-------------------
 Hardware type (2 bytes)               | Protocol type (2 bytes)
 Hardware addr len | Protocol addr len | Operation type (2 bytes)
 Sender hardware address (bytes 0-3)
 Sender hardware address (bytes 4-5)   | Sender IP address (bytes 0-1)
 Sender IP address (bytes 2-3)         | Target hardware address (bytes 0-1)
 Target hardware address (bytes 2-5)
 Target IP address (bytes 0-3)

(Figure 1 ARP/RARP header structure, 28 bytes for Ethernet/IPv4, drawn 4 bytes per row)

  1. The hardware type field identifies the link-layer technology of the sender's interface; Ethernet is 1.
  2. The protocol type field identifies the upper-layer protocol whose addresses are being resolved; IPv4 is 0x0800.
  3. The hardware address length and protocol address length give the sizes of the two kinds of address (6 and 4 for Ethernet/IPv4). Carrying the lengths explicitly is what lets ARP be used with any hardware and any protocol.
  4. The operation field gives the message type: ARP request is 1, ARP reply is 2, RARP request is 3, RARP reply is 4.
  5. Sender hardware address (bytes 0-3): the first 4 bytes of the sender's MAC address;
  6. Sender hardware address (bytes 4-5): the last 2 bytes of the sender's MAC address;
  7. Sender IP address (bytes 0-1): the first 2 bytes of the sender's IP address;
  8. Sender IP address (bytes 2-3): the last 2 bytes of the sender's IP address;
  9. Target hardware address (bytes 0-1): the first 2 bytes of the target's MAC address;
  10. Target hardware address (bytes 2-5): the last 4 bytes of the target's MAC address;
  11. Target IP address (bytes 0-3): the IP address of the target host.
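The layout in Figure 1 can be exercised directly. The following is an added example (not code from the original article): it builds a complete Ethernet frame carrying an ARP message with the field order and sizes given above, and parses it back, rejecting frames that are not Ethernet/IPv4 ARP. It uses only the Python standard library, so no packet capture or raw socket is needed; the addresses in the demo are those quoted later in the article.

```python
"""Build and parse Ethernet/ARP frames following the Figure 1 layout.

Added example, not code from the original article. Only the standard library
is used; the frames are constructed here, not captured from a network.
"""
import struct

ETHERTYPE_ARP = 0x0806
HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800
OP_REQUEST, OP_REPLY, OP_RARP_REQUEST, OP_RARP_REPLY = 1, 2, 3, 4
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

# ARP body: htype(2) ptype(2) hlen(1) plen(1) oper(2) sha(6) spa(4) tha(6) tpa(4)
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)    # 28 bytes, matching Figure 1
ETH_HDR_LEN = 14                       # dst MAC, src MAC, EtherType


def mac_to_bytes(mac: str) -> bytes:
    # accepts both 00-0d-60-8c-0d-c9 and 00:0d:60:8c:0d:c9
    return bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def bytes_to_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(op, sha, spa, tha, tpa, eth_dst=None, eth_src=None) -> bytes:
    """Return a complete Ethernet frame carrying one ARP message.

    The Ethernet source defaults to the ARP sender hardware address; an attacker's
    frame may deliberately make the two differ, which is why parse_arp reports both.
    """
    body = struct.pack(ARP_FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op,
                       mac_to_bytes(sha), ip_to_bytes(spa),
                       mac_to_bytes(tha), ip_to_bytes(tpa))
    eth = (mac_to_bytes(eth_dst or BROADCAST_MAC)
           + mac_to_bytes(eth_src or sha)
           + struct.pack("!H", ETHERTYPE_ARP))
    return eth + body


def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet frame; raise ValueError if it is not well-formed ARP."""
    if len(frame) < ETH_HDR_LEN + ARP_LEN:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame (EtherType 0x{ethertype:04x})")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, frame[ETH_HDR_LEN:ETH_HDR_LEN + ARP_LEN])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is decoded here")
    return {
        "eth_dst": bytes_to_mac(eth_dst), "eth_src": bytes_to_mac(eth_src),
        "op": op,
        "sha": bytes_to_mac(sha), "spa": bytes_to_ip(spa),
        "tha": bytes_to_mac(tha), "tpa": bytes_to_ip(tpa),
        # a reply whose Sender and Target IP are equal is a gratuitous announcement
        "gratuitous": op == OP_REPLY and spa == tpa,
    }


if __name__ == "__main__":
    req = build_arp(OP_REQUEST, "00:00:e2:58:ac:ea", "192.168.1.158",
                    "00:00:00:00:00:00", "192.168.1.6")
    print(len(req), parse_arp(req))
```

`build_arp` lets the Ethernet source and the ARP sender hardware address be set independently, because later sections rely on exactly that mismatch as a spoofing signature.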

2. ARP spoofing

2.1 The spoofing process

    The purpose of automatic ARP learning is for the two hosts in a conversation to request or announce each other's MAC addresses, so that Layer 2 Ethernet frames can be exchanged. Because communication is bidirectional, if either side's ARP entry for the other is missing or wrong, communication fails. ARP spoofing exploits this: it keeps sending false ARP messages to one or both parties on the network so that their traffic is misdirected or normal communication breaks down.

So how can ARP spoofing be prevented? Fundamentally, both parties must hold correct IP-to-MAC mappings. As noted above, ARP entries are learned automatically from the Request/Response exchanges of other hosts, and that learning is exactly what gives spoofing its opening. The most direct countermeasure is therefore to stop relying on learning, and many equipment vendors do exactly that. But configuring static ARP is labour-intensive and painful to maintain. With N hosts on the LAN, binding every host to the gateway and the gateway to every host needs at least N + (N-1) = 2N-1 entries; for N = 200 that is about 400 entries, before counting the collection, checking and upkeep of the IP/MAC inventory. Binding every host to every other host across the whole network takes N(N-1) entries, which is worse still.

Can the tedium of static ARP binding be avoided? The Windows hosts themselves offer nothing better, but routers and Layer 3 switches are worth examining. To answer the question we first need to see exactly how ARP spoofing proceeds, starting from the experimental topology in the figure:

Since it is hard to obtain a suitable virus sample to reproduce real ARP spoofing, we installed Jusheng Network Management (also known as Netsense and P2P Terminator) to simulate it; the tool is built on ARP spoofing.

In this setup a router acts as the gateway and performs NAT. Two PCs are on the intranet, and Jusheng Network Management is installed on one of them to carry out the spoofing. Initially, the MAC address that the other PC's ARP table holds for the gateway, 192.168.1.6, is correct. Then Jusheng Network Management is started and the following is observed:

1. In the first stage, the ARP Cheater sends a large number of ARP Requests, scanning the PCs of the intranet one by one:

Under normal circumstances each LAN PC answers the ARP Request. The ARP Cheater relies on this to confirm which hosts are up, collects their addresses, and builds a local database.

2. In the second stage, the Cheater performs the actual deception: it sends unsolicited (gratuitous) ARP Responses to the real gateway and to the PC at the same time, forcing each to update its ARP table.

What is sent to the PC is an ARP Response whose Sender Hardware Address is 00-0D-60-8C-0D-C9 and whose Sender IP is 192.168.1.6 (the capture itself is not reproduced here).

This is plainly wrong: 00-0D-60-8C-0D-C9 is the Cheater's MAC address, while 192.168.1.6 is the router's gateway IP.

What is sent to the gateway router is an ARP Response with Sender Hardware Address 00-00-E2-58-AC-EA and Sender IP 192.168.1.158.

Both belong to the ordinary PC, so this information is correct: the Cheater sends the forced update to the gateway on the PC's behalf so that the PC's traffic can still complete normally.

Once the spoofing is done, every PC on the LAN sends its packets to the ARP Cheater according to the false ARP entry, and the Cheater forwards them through the router to the real server on the public network. When the reply returns from the public network to the router, the router delivers it directly to the PC without passing through the Cheater (it could be made to pass through the Cheater as well, if needed); see the topology diagram above.

At this point the spoofing is complete and the PC's ARP entry for the gateway has changed. To "consolidate" the result, Jusheng Network Management repeats the spoof every 2 seconds.
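The two Responses described in stage 2 can be replayed against a simple model of the PC's and gateway's ARP caches to see why the traffic path becomes asymmetric. This is an added example, not the tool or the captures from the original article. The addresses are those quoted in the text; the gateway's real MAC (00-d0-0f-23-44-89, borrowed from the autoexec.bat example later on) is an assumption of the model. The cache model accepts any Response that reaches it, the "learn on reply" behaviour that lets an unsolicited Response overwrite an entry, and it also models a static entry of the kind the text says prevents this.

```python
"""Replay the two ARP Responses of stage 2 against simple ARP-cache models.

Added example, not the article's tool or captures. Addresses are the ones quoted
in the text; the gateway MAC is an assumption for this model.
"""
from dataclasses import dataclass, field

GATEWAY_IP, GATEWAY_MAC = "192.168.1.6", "00-d0-0f-23-44-89"   # gateway MAC assumed
PC_IP, PC_MAC = "192.168.1.158", "00-00-e2-58-ac-ea"
CHEATER_MAC = "00-0d-60-8c-0d-c9"


@dataclass
class Host:
    name: str
    ip: str
    mac: str
    arp_cache: dict = field(default_factory=dict)
    static: set = field(default_factory=set)

    def bind_static(self, ip, mac):
        """The 'arp -s' case: pin an entry so that Responses cannot change it."""
        self.arp_cache[ip] = mac
        self.static.add(ip)

    def on_arp_reply(self, sender_ip, sender_mac):
        """Dynamic learning: any Response, solicited or not, overwrites a non-static entry."""
        if sender_ip not in self.static:
            self.arp_cache[sender_ip] = sender_mac

    def next_hop_mac(self, dst_ip):
        return self.arp_cache.get(dst_ip)


def build_lan(pin_gateway=False):
    """Starting state from the text: the PC's entry for 192.168.1.6 is correct."""
    pc = Host("pc", PC_IP, PC_MAC)
    gw = Host("gateway", GATEWAY_IP, GATEWAY_MAC)
    if pin_gateway:
        pc.bind_static(GATEWAY_IP, GATEWAY_MAC)
    else:
        pc.on_arp_reply(GATEWAY_IP, GATEWAY_MAC)
    gw.on_arp_reply(PC_IP, PC_MAC)
    return pc, gw


def run_spoof_round(pc, gw):
    """Stage 2 of the article, which the tool repeats every 2 seconds."""
    # to the PC: Sender IP = gateway, Sender MAC = cheater   (false)
    pc.on_arp_reply(GATEWAY_IP, CHEATER_MAC)
    # to the gateway: Sender IP = PC, Sender MAC = PC        (true, sent on the PC's behalf)
    gw.on_arp_reply(PC_IP, PC_MAC)


def traffic_path(pc, gw):
    """(MAC the PC sends Internet-bound frames to, MAC the gateway returns them to)."""
    return pc.next_hop_mac(GATEWAY_IP), gw.next_hop_mac(PC_IP)


if __name__ == "__main__":
    for pinned in (False, True):
        pc, gw = build_lan(pin_gateway=pinned)
        run_spoof_round(pc, gw)
        print("static gateway entry" if pinned else "dynamic only", traffic_path(pc, gw))
```

With dynamic learning the outbound path flips to the Cheater while the return path from the gateway stays direct to the PC, exactly the one-way interception the text describes; with the gateway entry pinned, the same round changes nothing on the PC.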

Jusheng Network Management is of course not a virus, Trojan or other malicious program, but it uses ARP spoofing to pull all LAN host traffic through its own network card, and that position is what lets it filter and throttle the traffic.

The widespread password-stealing Trojans work on the same principle. Since the password is only entered when the user logs in, the Trojan deliberately disables its own network card for a moment and then restores it; intranet users assume poor network quality dropped their session, log in again, and type their password...

Although both cases above are ARP spoofing, the network keeps working most of the time. If the goal is simply to cut the network off, the ARP Cheater only needs to send gratuitous ARP Responses frequently, with a wrong Sender Address inside.

2.2 How to deal with ARP spoofing?

As noted earlier, ARP spoofing may target either the gateway router or the PCs on the intranet. The two cases are analysed below.

2.2.1 Preventing ARP spoofing of the PC

To find a countermeasure we must first identify what ARP spoofing looks like:

1. While ARP spoofing is happening

Whatever the purpose, the first and decisive step in ARP spoofing is to push false gateway ARP information to the LAN hosts through unsolicited ARP Responses. There are only two ways to do this:

    First, a large number of ARP Request scans are sent on the segment to collect the currently active hosts from their Responses, and a gratuitous ARP Response is then sent to each host. In this case the router sees a single fixed MAC address issuing a large number of ARP Request broadcasts, and the process may repeat periodically.

    Second, the ARP Cheater skips enumerating the LAN hosts one by one: it directly impersonates the gateway and announces itself to the whole segment with a broadcast gratuitous ARP Response. In this case gratuitous ARP Responses whose Sender Internet Address is the router's own IP address should be observed on the router, and, as the experiment above shows, such broadcasts are very frequent.

    In either case the target is the PC. Although the router can recognise from these characteristics that ARP spoofing is taking place, it cannot stop it, because the router has no control over the PC's ARP table.

2. After ARP spoofing has happened

What happens afterwards? The PC's ARP table has been tampered with. We could clear the entries manually and let the host relearn them, but the spoofing repeats continuously, so the manual effort would far exceed that of the "static ARP" discussed above; the feasibility is zero.

If manual methods fail, what about automatic ones? Like the ARP Cheater, the gateway router or a dedicated host could send gratuitous ARP broadcasts announcing the correct gateway mapping to the whole segment. If the spoofing is infrequent this works; but in a case like Jusheng Network Management, which spoofs every 2 seconds, keeping the PCs' ARP tables correct would require the router's or dedicated host's gratuitous ARP Responses to be even more frequent. Even then the PCs' ARP tables would be in constant flux, causing packet loss in normal communication, and the whole segment would be flooded with Ethernet broadcasts, which nobody wants to see. (The arp gratuitous interval xx command on the internal interface of an RG router does exactly this, sending ARP Responses to the segment at a fixed interval.)

To sum up, the router itself is essentially powerless against ARP spoofing of intranet hosts, or at best of very limited effect. So the PC must still perform static ARP binding itself, for example with an autoexec.bat batch file on the PC:

@echo off
rem flush the dynamic ARP entries, then pin the gateway's MAC address
arp -d
arp -s 192.168.1.1 00-d0-0f-23-44-89

This statically binds the correct gateway MAC address on the PC and prevents gateway spoofing.

On the RG 2126G switch, anti-arp-spoofing ip xxx.xxx.xxx.xxx can be configured under a port, where xxx.xxx.xxx.xxx is the gateway address.

The RG 2126G then drops ARP packets whose Sender IP is the gateway address of this segment when they arrive on that port, so a PC connected to the port cannot impersonate the gateway toward other PCs in either ARP Responses or ARP Requests.

2.2.2 Preventing ARP spoofing of the router

Unlike PCs, routers and Layer 3 switches are Layer 3 devices with almost no upper-layer applications talking directly to intranet hosts, so their ARP entries are usually not obtained by active requests but learned passively, for example from a received ARP Request or a gratuitous ARP Response. The former is normal and outside our discussion; the latter is the means by which the ARP Cheater deceives the gateway router.

It can be analyzed in two stages:

1. While ARP spoofing is happening

Normally, the ARP Cheater pushes incorrect host ARP information to the router or Layer 3 switch through unicast gratuitous ARP Responses. Because the intranet has many hosts, the router or Layer 3 switch receives a large number of these unicast gratuitous Responses in each round; their Sender Internet Address is a LAN host's IP address, but their Sender Hardware Address is the MAC address of the ARP Cheater's network card.

Routers and Layer 3 switches can clearly recognise from these characteristics of gratuitous ARP Responses that spoofing is occurring. By the time the determination is made, however, the damage to the ARP table has already been done.

2. After ARP spoofing has happened

Since the ARP entries of routers and Layer 3 switches are learned passively, after spoofing they must actively query for the correct information. There is essentially one way: walk the IP addresses in the existing ARP table, send an ARP Request for each, and correct the table from the Responses. The workload is obviously large, and when the ARP Cheater spoofs very frequently, this "self-correction" of routers and Layer 3 switches looks far too feeble.
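The signatures listed in 2.2.1 and 2.2.2 (one MAC scanning the segment with Requests, a Response claiming the gateway IP with a foreign MAC, and one MAC claiming several host IPs in Responses toward the gateway) are easy to detect on the router even though, as the text says, detection alone stops nothing. The following is an added example, not code from the article: a detector run over a stream of ARP events as a router or a mirrored port would see them. The events are constructed for the example rather than captured; the Cheater's own IP (192.168.1.7), the gateway MAC and the thresholds are assumptions that a deployment would tune.

```python
"""Flag the ARP spoofing signatures of 2.2.1 and 2.2.2 in a stream of ARP events.

Added example, not code from the article. Events are constructed, not captured;
the cheater's IP, the gateway MAC and the thresholds are assumptions.
"""
from collections import defaultdict

GATEWAY_IP, GATEWAY_MAC = "192.168.1.6", "00-d0-0f-23-44-89"   # gateway MAC assumed
PC_IP, PC_MAC = "192.168.1.158", "00-00-e2-58-ac-ea"
CHEATER_IP, CHEATER_MAC = "192.168.1.7", "00-0d-60-8c-0d-c9"   # cheater IP assumed
NOBODY = "00-00-00-00-00-00"

SCAN_WINDOW = 5.0     # seconds over which Requests from one MAC are counted
SCAN_THRESHOLD = 20   # distinct target IPs asked by one MAC inside the window
CLAIM_THRESHOLD = 2   # distinct Sender IPs one MAC may announce in Responses


def detect(events, gateway_ip=GATEWAY_IP, gateway_mac=GATEWAY_MAC):
    """events: (time, op, sha, spa, tha, tpa) tuples in time order. Returns a list of alerts."""
    alerts = []
    asked = defaultdict(list)     # requester MAC -> [(time, target IP)] inside the window
    claimed = defaultdict(set)    # responder MAC -> {Sender IPs it has announced}
    reported = set()              # (kind, mac) already alerted, to avoid repeats every 2 s
    gateway_mac = gateway_mac.lower()
    for t, op, sha, spa, tha, tpa in events:
        sha = sha.lower()
        if op == 1:   # ARP Request: stage 1 scan from a single fixed MAC
            window = [(t0, ip) for t0, ip in asked[sha] if t - t0 <= SCAN_WINDOW]
            window.append((t, tpa))
            asked[sha] = window
            targets = {ip for _, ip in window}
            if len(targets) >= SCAN_THRESHOLD and ("arp_scan", sha) not in reported:
                reported.add(("arp_scan", sha))
                alerts.append(("arp_scan", sha, len(targets)))
        elif op == 2:  # ARP Response, solicited or gratuitous
            # 2.2.1: a Response carrying the gateway's IP from a MAC that is not the gateway
            if spa == gateway_ip and sha != gateway_mac \
                    and ("gateway_impersonation", sha) not in reported:
                reported.add(("gateway_impersonation", sha))
                alerts.append(("gateway_impersonation", sha, spa))
            # 2.2.2: one Sender MAC announcing many Sender IPs
            claimed[sha].add(spa)
            if len(claimed[sha]) >= CLAIM_THRESHOLD and ("multi_ip_claim", sha) not in reported:
                reported.add(("multi_ip_claim", sha))
                alerts.append(("multi_ip_claim", sha, sorted(claimed[sha])))
    return alerts


def benign_events():
    """Constructed: the PC resolves the gateway and the gateway answers."""
    return [
        (0.0, 1, PC_MAC, PC_IP, NOBODY, GATEWAY_IP),
        (0.1, 2, GATEWAY_MAC, GATEWAY_IP, PC_MAC, PC_IP),
    ]


def attack_events():
    """Constructed: a stage 1 scan of .1-.30, then the stage 2 Responses."""
    ev = [(i * 0.05, 1, CHEATER_MAC, CHEATER_IP, NOBODY, f"192.168.1.{i}")
          for i in range(1, 31)]
    ev.append((5.0, 2, CHEATER_MAC, GATEWAY_IP, PC_MAC, PC_IP))              # to the PC
    ev.append((5.1, 2, CHEATER_MAC, PC_IP, GATEWAY_MAC, GATEWAY_IP))         # to the gateway
    ev.append((5.2, 2, CHEATER_MAC, "192.168.1.159", GATEWAY_MAC, GATEWAY_IP))
    return ev


if __name__ == "__main__":
    for alert in detect(benign_events() + attack_events()):
        print(alert)
```

The `reported` set matters in practice: a tool that re-spoofs every 2 seconds would otherwise produce an alert per round, and the interesting event is the first one per offending MAC.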

2.3 Other methods to deal with ARP spoofing

From the analysis so far it is nearly impossible to prevent ARP spoofing through the ARP mechanism alone. What other ways are there?

2.3.1 Hardware perspective

A router is, after all, a Layer 3 device, and its handling of the Layer 2 ARP protocol will always be limited. Can we start from the LAN switch instead?

The result of ARP spoofing (wrong ARP entries) lives in the gateway router and the hosts and has nothing to do with the switch, so if the switch is to help it must be by prevention. From the analysis above, whatever the variant, its defining feature is gratuitous ARP Responses in which the Sender information in the ARP payload does not match the sending station's own MAC address. If the Layer 2 Ethernet switch can check the validity of ARP messages, it can naturally filter them out.

The technique does not look hard on paper, but it requires support in the switch ASIC and additional software, so its feasibility and cost-effectiveness still need to be verified; at the same time broadband routers and switches need to be promoted to users as a package. Ruili Network's integrated routing and switching solutions for broadband markets such as Internet cafes are now based on this principle.

This idea should stop ARP spoofing at the source, but it demands a lot of the switch, not only in function but also in performance, stability and cost-effectiveness.

On RG 27 and 29 series switches, the hardware architecture lets the switch check the Source IP and Source MAC of ARP packets according to packet type: for packets with EtherType 0x0806 it compares them against the bound IP address and its corresponding MAC address, filtering out the attacker's deceptive ARP Responses and thereby stopping the ARP attack at its root.
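The per-port checks described for the RG switches (the anti-arp-spoofing ip rule of 2.2.1, the per-port IP/MAC binding here, and the Sender MAC versus Ethernet source MAC comparison from the paragraph above) can be modelled in a few lines to make the decision logic explicit. This is an added example written in software, not the switches' firmware or configuration syntax; the port numbers, the Cheater's IP and the gateway MAC are assumptions.

```python
"""Per-port ARP validation of the kind described for the RG switches.

Added example modelling the behaviour in software, not the vendor's firmware.
Port numbers, the cheater's IP and the gateway MAC are assumptions.
"""
from dataclasses import dataclass

ETHERTYPE_ARP = 0x0806
GATEWAY_IP, GATEWAY_MAC = "192.168.1.6", "00-d0-0f-23-44-89"   # gateway MAC assumed
PC_IP, PC_MAC = "192.168.1.158", "00-00-e2-58-ac-ea"
CHEATER_IP, CHEATER_MAC = "192.168.1.7", "00-0d-60-8c-0d-c9"   # cheater IP assumed


@dataclass
class Port:
    number: int
    uplink: bool = False      # the port facing the gateway router
    binding: tuple = None     # (ip, mac) pinned to this access port, if configured


def check_arp(port, frame):
    """frame: dict with ethertype, eth_src, sha, spa. Returns (allowed, reason)."""
    if frame["ethertype"] != ETHERTYPE_ARP:
        return True, "not ARP, outside this check"
    sha, spa = frame["sha"].lower(), frame["spa"]
    # the ARP payload must name the station that actually sent the frame
    if sha != frame["eth_src"].lower():
        return False, "ARP Sender MAC differs from Ethernet source MAC"
    if port.uplink:
        return True, "uplink port: gateway announcements allowed"
    # anti-arp-spoofing ip <gateway>: nobody on an access port may speak as the gateway
    if spa == GATEWAY_IP:
        return False, "anti-arp-spoofing: gateway IP claimed on an access port"
    # per-port binding: the Sender IP/MAC pair must be the one bound to this port
    if port.binding is not None and (spa, sha) != (port.binding[0], port.binding[1].lower()):
        return False, f"binding mismatch: port {port.number} is bound to {port.binding}"
    return True, "ok"


def arp_frame(eth_src, sha, spa):
    return {"ethertype": ETHERTYPE_ARP, "eth_src": eth_src, "sha": sha, "spa": spa}


# Constructed topology: PC on port 2, cheater on port 3, gateway router on uplink port 24
PC_PORT = Port(2, binding=(PC_IP, PC_MAC))
CHEATER_PORT = Port(3, binding=(CHEATER_IP, CHEATER_MAC))
UPLINK = Port(24, uplink=True)


def demo():
    """Run the cases from the article through the filter; True means forwarded."""
    cases = [
        ("gateway on uplink", UPLINK, arp_frame(GATEWAY_MAC, GATEWAY_MAC, GATEWAY_IP)),
        ("PC announcing itself", PC_PORT, arp_frame(PC_MAC, PC_MAC, PC_IP)),
        ("cheater claims gateway", CHEATER_PORT, arp_frame(CHEATER_MAC, CHEATER_MAC, GATEWAY_IP)),
        ("cheater claims the PC", CHEATER_PORT, arp_frame(CHEATER_MAC, CHEATER_MAC, PC_IP)),
        ("forged Sender MAC", CHEATER_PORT, arp_frame(CHEATER_MAC, PC_MAC, PC_IP)),
    ]
    return {name: check_arp(port, frame)[0] for name, port, frame in cases}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:24s} {'forward' if allowed else 'drop'}")
```

Both halves of the stage 2 attack are stopped: the Response to the PC fails the gateway-IP rule, and the Responses to the gateway fail the port binding, whether they carry the Cheater's own MAC or a forged one.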

2.3.2 Software perspective

ARP's own features alone cannot solve ARP spoofing, so what other software solutions exist? There are some; consider Aitai's solution:

ARP spoofing ultimately affects the contents of ARP entries, and those contents are learned dynamically; the ARP mechanism is therefore unsafe, so why not abandon automatic ARP learning? This does not mean manual static ARP binding. The specific approach is to carry the relevant ARP information inside the NAT entry and process the two together.

Originally a NAT entry holds six items: source IP address before translation, source TCP/UDP port before translation, source IP address after translation, TCP/UDP port after translation, destination IP address and destination port. The mapping from the pre-translation source IP address to a MAC address is left to ARP's dynamic learning.

Now the NAT entry is extended to seven items: source IP address before translation, source MAC address before translation, source TCP/UDP port before translation, source IP address after translation, TCP/UDP port after translation, destination IP address and destination port. The added source MAC address is not used as a NAT matching key; its role is that when a packet returns from the public side and is reverse-translated, the router can send it back to the correct PC host.

How, then, do we ensure that the PC host's packets reach the router correctly and are not affected by ARP spoofing? Simply: manual static ARP binding on the PC. As analysed earlier, the router is powerless against ARP spoofing of the PC host.

In this way the PC sends its packets to the gateway router according to its static (correct) ARP entry. When the router records the necessary information into the NAT cache, it also records the source MAC address of the Ethernet frame and writes it into the NAT cache as the reference for delivering the returning packet.

The advantage of this method is that it does not need the switch to avoid ARP spoofing, but the PC host still needs manual ARP binding; it can be called a compromise relative to the "hardware perspective". The disadvantage is that NAT now stores and checks more, which inevitably affects performance, and the mechanism only protects PC-to-router communication from ARP spoofing; it can do nothing for communication between PCs.
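The difference between the six-field and seven-field NAT entry is easiest to see side by side. The following is an added example that models the two designs, not the vendor's implementation: a router whose ARP entry for the PC has been poisoned by the Cheater delivers the returning packet to the Cheater under classic NAT, and to the PC when the entry carries the MAC of the frame that opened the mapping. The public address, the ports and the gateway MAC are assumptions, and the session is constructed rather than captured.

```python
"""Classic six-field NAT versus the seven-field entry that records the inside MAC.

Added example, not the vendor's implementation. Public address, ports and the
gateway MAC are assumptions; the session is constructed, not captured.
"""
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.10"                                     # assumed WAN address
GATEWAY_IP, GATEWAY_MAC = "192.168.1.6", "00-d0-0f-23-44-89"   # gateway MAC assumed
PC_IP, PC_MAC = "192.168.1.158", "00-00-e2-58-ac-ea"
CHEATER_MAC = "00-0d-60-8c-0d-c9"


@dataclass
class NatEntry:
    inside_ip: str
    inside_mac: str     # the seventh field: MAC of the frame that opened the mapping
    inside_port: int
    public_ip: str
    public_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    def __init__(self):
        self.arp_cache = {}      # dynamically learned, and therefore poisonable
        self.table = {}          # (public_ip, public_port, dst_ip, dst_port) -> NatEntry
        self._next_port = 40000

    def on_arp_reply(self, ip, mac):
        """Passive learning, as described in 2.2.2: any Response updates the entry."""
        self.arp_cache[ip] = mac

    def outbound(self, eth_src, src_ip, src_port, dst_ip, dst_port):
        """Translate a LAN packet and record the Ethernet source MAC alongside it."""
        key = (PUBLIC_IP, self._next_port, dst_ip, dst_port)
        self._next_port += 1
        self.table[key] = NatEntry(src_ip, eth_src, src_port, *key)
        return key

    def inbound_classic(self, key):
        """Six-field NAT: the destination MAC is looked up in the ARP table."""
        e = self.table[key]
        return e.inside_ip, self.arp_cache.get(e.inside_ip)

    def inbound_with_mac(self, key):
        """Seven-field NAT: the destination MAC comes from the entry itself."""
        e = self.table[key]
        return e.inside_ip, e.inside_mac


def scenario():
    """Open a session from the PC, poison the router's ARP entry, deliver the reply both ways."""
    router = NatRouter()
    router.on_arp_reply(PC_IP, PC_MAC)                               # correct at first
    key = router.outbound(PC_MAC, PC_IP, 51000, "198.51.100.5", 80)  # PC -> web server
    router.on_arp_reply(PC_IP, CHEATER_MAC)                          # cheater claims the PC's IP
    return router.inbound_classic(key), router.inbound_with_mac(key)


if __name__ == "__main__":
    classic, with_mac = scenario()
    print("classic NAT delivers to", classic)
    print("NAT with source MAC delivers to", with_mac)
```

The model also makes the stated limitation visible: the seven-field entry only fixes the router-to-PC leg of a NAT session, so a poisoned entry still misroutes any traffic that does not pass through the NAT table.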

2.3.3 The negative perspective

What is the negative perspective? Simply put: with no other way out, I give up ARP altogether. How, then, do I communicate over Ethernet? PPPoE! In theory this does avoid the ARP problem completely, but in practice the router must act as a PPPoE server, so all LAN traffic, even host-to-host, must be forwarded by the router at Layer 3; the load on the router can be imagined. There are real networks built this way, such as an ISP's operations office network, but their reason for using PPPoE is mainly network security and management.

2.4 Suggestions

There is probably no good solution to ARP spoofing from within ARP itself; solving or avoiding it requires some surgery.

As for ordinary ARP conflicts, I think the handling could be strengthened as follows:

- After confirming an IP conflict on the network, the router or Layer 3 switch immediately sends a gratuitous ARP Request to check whether the conflict has cleared; if it persists, it forcibly sends a gratuitous ARP Response.

- Could the gratuitous ARP Request be delayed for a while? This avoids the case where a Windows host in an "abnormal" state has not yet processed the situation.

- Then, if the conflict persists, send an ARP Response; better still, repeat the gratuitous ARP Request probe and, whenever the conflict is still present, force a gratuitous ARP Response announcement until it disappears.

2.5 Summary

Of the two main kinds of ARP problem, ordinary non-malicious address conflicts have no substantial impact on routers and Layer 3 switches. Against deliberate ARP spoofing, whatever its purpose, the router has no direct and effective means, whether preventive or after the fact.

Bidirectional static ARP can avoid the effects of ARP spoofing today, but it is inconvenient to deploy and maintain and is error-prone.

The better way out is to improve the switch at the hardware level, striking a balance between cost and function; this is the fundamental way to prevent ARP problems.

This article is excerpted from: "Talking about ARP spoofing", 51CTO technical blog.

Origin: blog.csdn.net/qq_37674086/article/details/124532448